Bugtraq mailing list archives
Re: QPopper 4.0.x buffer overflow vulnerability
From: Harald Hellmuth <hh () hostserver de>
Date: Thu, 13 Mar 2003 08:12:47 +0100
On Tue, 11 Mar 2003 19:05:51 -0800 Randall Gellens <rg_public.1 () flagg qualcomm com> wrote:
The first I heard of the problem was this morning. Was any notice sent to qpopper-bugs () qualcomm com or qpopper-patches () qualcomm com in advance of the posting here? If so, please let me know the details so I can see what happened to the message. If not, I'd like to know why.

A fixed Qpopper (version 4.0.5fc2) is available now at <ftp://ftp.qualcomm.com/eudora/servers/unix/popper/beta/>. I plan on releasing 4.0.5 final tomorrow unless I hear of any problems with 4.0.5fc2.

--
Randall Gellens
rg_public.1 () flagg qualcomm com
Opinions are personal; facts are suspect; I speak for myself only
Hello,

Yesterday (2003-03-12) I sent the following email to qpopper-bugs () qualcomm com:

------------------------------ snip ---------------------------------------

Dear Sir or Madam,

Florian Heinz posted an exploit to gain shell access through qpopper. See http://nstx.dereference.de/snippets/qex.c.

The reason is an unterminated buffer string in Qvsnprintf. I looked at version 4.05fc2 and there is a change, but I think that change isn't correct.

    /* From File common/snprintf.c */
    if ( nSize == 0 && *p != '\0' ) {
        *s = '\0';
        return -1;
    }
    else
        return ( (n-1) - nSize );
    /* when the string that should be written to the buffer fits exactly,
     * then no zero byte will be written to the buffer, because the for
     * loop terminates when nSize is 0 and the terminating '\0' of p is not
     * copied to the buffer ;-( */

I think it should be written as:

    if ( nSize || *p=='\0') {
        *s++ = *p;
        return ( (n-1) - nSize );
    }
    else {
        *s++ = '\0';
        return -1;
    }

Please excuse my bad English.

regards
Harald Hellmuth

------------------------------ snap ---------------------------------------

with best regards

--
Harald Hellmuth
E-Mail: hh () hostserver de
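The exact-fit case described in the message above, as an added example that is not part of the original post or of Qpopper's source. Only the two tail checks come from the message; the copy loop, the function names and the test inputs are assumptions, modelled on the message's description that the loop copies the terminator unless nSize reaches 0 first, with n >= 1.

```c
#include <stdio.h>
#include <string.h>

/* Assumed copy loop (not Qpopper's source): copies p, NUL included, until nSize is 0. */
static const char *copy_loop(char **s, const char *p, size_t *nSize)
{
    for (; *nSize > 0; (*nSize)--, (*s)++, p++) {
        **s = *p;
        if (*p == '\0') break;
    }
    return p;
}

/* Tail check the message quotes from 4.0.5fc2. */
int copy_fc2_tail(char *s, const char *p, size_t n)
{
    size_t nSize = n - 1;
    p = copy_loop(&s, p, &nSize);
    if (nSize == 0 && *p != '\0') { *s = '\0'; return -1; }
    else return (int)((n - 1) - nSize);
}

/* Tail check the message proposes instead. */
int copy_suggested_tail(char *s, const char *p, size_t n)
{
    size_t nSize = n - 1;
    p = copy_loop(&s, p, &nSize);
    if (nSize || *p == '\0') { *s++ = *p; return (int)((n - 1) - nSize); }
    else { *s++ = '\0'; return -1; }
}

/* Returns 1 if fn left a zero byte in a 5-byte 'X'-filled buffer; fn's result in *ret. */
int terminated_after(int (*fn)(char *, const char *, size_t), const char *src, int *ret)
{
    char buf[5];
    memset(buf, 'X', sizeof buf);
    *ret = fn(buf, src, sizeof buf);
    return memchr(buf, '\0', sizeof buf) != NULL;
}

int main(void)
{
    const char *in[] = { "ab", "abcd", "abcdef" };   /* constructed inputs */
    for (int i = 0; i < 3; i++) {
        int r1, r2, t1 = terminated_after(copy_fc2_tail, in[i], &r1);
        int t2 = terminated_after(copy_suggested_tail, in[i], &r2);
        printf("%-6s fc2 ret=%d nul=%d  suggested ret=%d nul=%d\n", in[i], r1, t1, r2, t2);
    }
    return 0;
}
```

Under this model, only the four-character input, which fills the 5-byte buffer exactly, is left without a terminator by the first tail check; the shorter and the truncated inputs are terminated by both.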